General

Target: Dhl Delivery Note-AWD 20..exe
Filesize: 1MB
Completed: 21-05-2022 18:44
Task: behavioral1
Score: 10/10
MD5: 43551c02e6787632bdf7554c574b5a75
SHA1: 61d7c6b2e866753dbe2bac753f40dd07b92fcbb8
SHA256: 4e3a7f2270566e6534f299b536b5dea5137b0057678294af6fb6eab72831b352
SHA512: 798d61d242fd7e92da537e0b28cb384d14bb97d126f427185445131563cee18efac6d9330e7c0c15b3a05a36ea29112c6b6be33d65df7a2c579e45de08bc4aae

Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2:
  • 91.193.75.46:1985
  • 127.0.0.1:1985

Attributes

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2019-12-17T13:54:31.653530336Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1985
default_group: ABAMOTORS
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 8bde6b73-d046-43fc-8deb-fc5ce8cb57c7
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 91.193.75.46
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures (10)

Persistence
  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Drops startup file
    Dhl Delivery Note-AWD 20..exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidpolicyconverter.url | Dhl Delivery Note-AWD 20..exe
  • Suspicious use of SetThreadContext
    Dhl Delivery Note-AWD 20..exe

    Reported IOCs

    description | pid | process | target process
    PID 1768 set thread context of 1224 | 1768 | Dhl Delivery Note-AWD 20..exe | MSBuild.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1600 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    MSBuild.exe, Dhl Delivery Note-AWD 20..exe

    Reported IOCs

    pid | process
    1224 | MSBuild.exe (2 events)
    1768 | Dhl Delivery Note-AWD 20..exe (14 events)
  • Suspicious behavior: GetForegroundWindowSpam
    MSBuild.exe

    Reported IOCs

    pid | process
    1224 | MSBuild.exe
  • Suspicious use of AdjustPrivilegeToken
    MSBuild.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1224 | MSBuild.exe (2 events)
  • Suspicious use of FindShellTrayWindow
    Dhl Delivery Note-AWD 20..exe

    Reported IOCs

    pid | process
    1768 | Dhl Delivery Note-AWD 20..exe (3 events)
  • Suspicious use of SendNotifyMessage
    Dhl Delivery Note-AWD 20..exe

    Reported IOCs

    pid | process
    1768 | Dhl Delivery Note-AWD 20..exe (3 events)
  • Suspicious use of WriteProcessMemory
    Dhl Delivery Note-AWD 20..exe, MSBuild.exe

    Reported IOCs

    description | pid | process | target process
    PID 1768 wrote to memory of 1224 | 1768 | Dhl Delivery Note-AWD 20..exe | MSBuild.exe (6 events)
    PID 1224 wrote to memory of 1600 | 1224 | MSBuild.exe | schtasks.exe (4 events)
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\Dhl Delivery Note-AWD 20..exe
    "C:\Users\Admin\AppData\Local\Temp\Dhl Delivery Note-AWD 20..exe"
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp707F.tmp"
        Creates scheduled task(s)
        PID:1600
Network

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp707F.tmp
    MD5: ae766004c0d8792953bafffe8f6a2e3b
    SHA1: 14b12f27543a401e2fe0af8052e116cab0032426
    SHA256: 1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
    SHA512: e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567
  • memory/1224-65-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/1224-66-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/1224-68-0x0000000074540000-0x0000000074AEB000-memory.dmp
  • memory/1224-57-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/1224-64-0x000000000041E792-mapping.dmp
  • memory/1224-59-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/1600-69-0x0000000000000000-mapping.dmp
  • memory/1768-54-0x0000000075C01000-0x0000000075C03000-memory.dmp
  • memory/1768-55-0x0000000002720000-0x0000000002786000-memory.dmp
  • memory/1768-56-0x0000000003120000-0x0000000003186000-memory.dmp